registry  /  rolebox  /  0.22.0

rolebox@0.22.0

OpenCode plugin — define custom AI agent roles via YAML with per-role prompts, models, skills, and permissions

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 434 file(s), 1.94 MB of source, external domains: api.github.com, en.wikipedia.org, github.com, hn.algolia.com, html.duckduckgo.com, news.ycombinator.com, r.jina.ai, raw.githubusercontent.com, registry.npmjs.org, s.jina.ai, www.npmjs.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/cli/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/cli/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/function/handlers-loader.jsView file
19try { L20: const mod = (await import(__rewriteRelativeImportExtension(abs))); L21: cache.set(abs, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/function/handlers-loader.jsView on unpkg · L19
dist/cli/registry-client.jsView file
matchType = previous_version_dangerous_delta matchedPackage = rolebox@0.21.0 matchedIdentity = npm:cm9sZWJveA:0.21.0 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/registry-client.jsView on unpkg

Findings

2 High6 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltadist/cli/registry-client.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/function/handlers-loader.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings